Adding Desktop Apps using the Admin Portal

The Desktop App feature in Centrify Privileged Access Service launches a Windows application (for instance, applications such as SQL Server Management Studio, TOAD for Oracle, and VMware vSphere Client) on an instance of a Windows Server.

The Desktop App feature is built on RemoteApp from Microsoft Remote Desktop Services (formerly known as Terminal Services), to stream the application running on the Windows Server to the user’s endpoint. User credentials are passed to the application so users do not need to checkout passwords. Desktop applications are configured from the Centrify Admin Portal and are also launched from the Admin Portal. Centrify Privileged Access Service controls:

  • Who can use the feature.
  • Which instance of Windows Server is targeted to run Remote Desktop Services.
  • The account context for the target desktop and application.
  • The command line used to launch the application (this may include account credentials for the application and a connection target such as an SQL Server database).

Note:   To prevent users from launching additional applications within a desktop app session, Microsoft best practice is to use AppLocker to control which applications are allowed within a session. For more information on AppLocker, see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759117(v=ws.11).

Microsoft Windows Server runs the remote desktop and the application for the user using Remote Desktop Services. Microsoft requires you to have the appropriate licensing in place for Remote Desktop Services. Centrify does not provide the Remote Desktop Services licenses; you must get the licenses directly from Microsoft. In order to use the Windows RemoteApp feature, the following Microsoft licenses must be available for every Windows/domain user configured to log in to the host Windows Server:

  • A Client Access License (CAL) for Microsoft Windows Server.

    This licenses the configured user to log in to an instance of the Windows Server and launch both the desktop and the application.

  • A Client Access License (CAL) for Microsoft Remote Desktop Services.

    This licenses the configured user to stream the remote desktop session to their computer.

You will need one of each of these licenses for each configured user (not concurrent user). Depending on your environment and Microsoft licensing, you may be able to choose between user CAL (for configured users) or device CAL (for Centrify connectors). Check with your Microsoft licensing specialist.

For additional information, see the following licensing guidance from Microsoft:

For more information about adding and managing specific desktop apps, see the following topics:

Note:   For the Privileged Access Service implementation of keyboard shortcuts for desktop apps, see Using the default web-based client.